Conexant's MicTray64.exe is installed with the Conexant audio driver package and registered as a Microsoft Scheduled Task to run after each user login. The program monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys. Monitoring of keystrokes is added by implementing a low-level keyboard input hook [1] function that is installed by calling SetWindowsHookEx().

In addition to the handling of hotkey/function key strokes, all key-scancode information [2] is written into a logfile in a world-readable path (C:\Users\Public\MicTray.log). If the logfile does not exist or the setting is not yet available in Windows registry, all keystrokes are passed to the OutputDebugString API, which enables any process in the current user-context to capture keystrokes without exposing malicious behavior. Any framework and process with access to the MapViewOfFile API should be able to silently capture sensitive data by capturing the user's keystrokes. In version 10.0.0.31, only OutputDebugString was used to forward key scancodes and nothing was written to files. The following pseudocode shows the registration of the keylogging function handler of MicTray64.exe version 1.0.0.46:

This issue leads to a high risk of leaking sensitive user input to any person or process that is able to read files in C:\Users\Public\MicTray.log or call MapViewOfFile(). Investigators with access to the unencrypted file-system might be able to recover sensitive data of historic key-logs as well. Users are not aware that every keystroke made while entering sensitive information - such as passphrases, passwords on local or remote systems - is captured by Conexant and exposed to any process and framework with access to the file-system or MapViewOfFile API. Additionally, this information-leak via Covert Storage Channel enables malware authors to capture keystrokes without taking the risk of being classified as a malicious task by AV heuristics.

It is not recommended to provide information on keystrokes to arbitrary processes by writing keystrokes to disk or by using OutputDebugStringW() for debugging purposes.

Any process that is running in the current user-session, and is therefore able to monitor debug messages, can capture keystrokes made by the user. Processes are thus able to record sensitive data such as passwords without performing suspicious activities that may trigger AV vendor heuristics. Furthermore, any process running on the system by any user is able to access all keystrokes made by the user via file-system access. It is not known if log-data is submitted to Conexant at any time or why all key presses are logged anyway.

Any framework that provides an API down to ReadFile() or Microsoft's MapViewOfFile() should be able to capture keystrokes captured by Conexant's audio driver utils. By using Microsoft Windows Sysinternals DbgView [5], keystrokes can be visualized easily if they are not written to file.

Delete MicTray executables and logfiles. Deleting the Scheduled Task is not sufficient, as Conexant's Windows Service CxMonSvc will launch MicTray otherwise. The executable is located at c:\Windows\System32\MicTray64.exe, the MicTray logfile is located at C:\Users\Public\MicTray.log

---------------------------------------------------------------------
10. About modzero
---------------------------------------------------------------------

The independent Swiss company modzero AG assists clients with security analysis in the complex areas of computer technology. The focus lies on highly detailed technical analysis of concepts, software and hardware components as well as the development of individual solutions. Colleagues at modzero AG work exclusively in practical, highly technical computer-security areas and can draw on decades of experience in various platforms, system concepts, and designs.

https://www.modzero.ch
contact@modzero.ch


/ modzero Security Advisory
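The removal steps in the quoted advisory (delete the executable and logfile, and account for the CxMonSvc service that would otherwise relaunch MicTray) as an audit script added here; this is not modzero's code. The executable path, logfile path and service name are taken from the advisory text; because the advisory does not name the scheduled task, the script finds it by the path its action executes. It reports by default and only changes the system when run with -Remediate from an elevated PowerShell.

```powershell
<#
  Audit, and optionally remediate, the Conexant MicTray components described
  in the modzero advisory. Added example, not modzero's code.
  Assumptions: paths and the CxMonSvc service name are as stated in the advisory;
  the scheduled task name is unknown, so tasks are matched on their action path.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Report only unless -Remediate is given; -WhatIf previews the changes.
    [switch]$Remediate
)

$exePath = 'C:\Windows\System32\MicTray64.exe'   # from the advisory
$logPath = 'C:\Users\Public\MicTray.log'         # from the advisory
$svcName = 'CxMonSvc'                            # from the advisory

$findings = @()

# 1. Is the keystroke-hooking binary present?
if (Test-Path -LiteralPath $exePath) {
    $exe = Get-Item -LiteralPath $exePath
    $findings += [pscustomobject]@{ Component = 'Executable'; Location = $exePath
                                    Detail = "File version $($exe.VersionInfo.FileVersion)" }
}

# 2. Is the world-readable logfile present? Size and last write hint at how much was captured.
if (Test-Path -LiteralPath $logPath) {
    $log = Get-Item -LiteralPath $logPath
    $findings += [pscustomobject]@{ Component = 'Logfile'; Location = $logPath
                                    Detail = "$($log.Length) bytes, last write $($log.LastWriteTime)" }
}

# 3. Scheduled task(s) whose action launches MicTray (matched by path, not by name).
$tasks = @(Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Actions | Where-Object { $_.Execute -like '*MicTray*' } })
foreach ($t in $tasks) {
    $findings += [pscustomobject]@{ Component = 'ScheduledTask'; Location = "$($t.TaskPath)$($t.TaskName)"
                                    Detail = "State $($t.State)" }
}

# 4. The Conexant monitor service that relaunches MicTray if only the task is removed.
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{ Component = 'Service'; Location = $svcName
                                    Detail = "Status $($svc.Status), StartType $($svc.StartType)" }
}

if ($findings.Count -eq 0) { Write-Host 'No MicTray components found.'; return }
$findings | Format-Table -AutoSize

if ($Remediate) {
    # Stop the service first so it cannot restart MicTray while the rest is removed.
    if ($svc -and $PSCmdlet.ShouldProcess($svcName, 'Stop and disable service')) {
        Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svcName -StartupType Disabled
    }
    foreach ($t in $tasks) {
        if ($PSCmdlet.ShouldProcess("$($t.TaskPath)$($t.TaskName)", 'Disable scheduled task')) {
            $t | Disable-ScheduledTask | Out-Null
        }
    }
    # Terminate a running instance, then remove the logfile and the binary.
    Get-Process -Name 'MicTray64' -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($p in @($logPath, $exePath)) {
        if ((Test-Path -LiteralPath $p) -and $PSCmdlet.ShouldProcess($p, 'Remove file')) {
            Remove-Item -LiteralPath $p -Force -ErrorAction Continue
        }
    }
}
```

Run it once without switches to see what is installed, then with `-Remediate -WhatIf` to preview, and finally with `-Remediate`. The order of the remediation (service, then task, then process and files) follows the advisory's point that removing the task alone is not enough because CxMonSvc starts MicTray again.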

..the spyware (bloatware for telemetry) is more recent:

Quote

On HP's customer forum, one user even reported that due to more than 95 percent CPU usage by the analytics service, his system anti-malware software started checking for suspicious activity.

